Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromSubject()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#loginUserFromSubject() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: atlas   File: LoginProcessor.java    License: Apache License 2.0
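/**
 * Logs the service in to Hadoop using the authentication method configured in
 * {@code hadoopConfig}.
 *
 * <ul>
 *   <li>SIMPLE: calls {@code UserGroupInformation.loginUserFromSubject(null)}; no credential
 *       is presented on this path.</li>
 *   <li>KERBEROS: performs a keytab login with the principal and keytab path read from
 *       {@code configuration}.</li>
 *   <li>Any other method: no explicit login is performed by this method.</li>
 * </ul>
 *
 * @param hadoopConfig  Hadoop configuration installed into {@code UserGroupInformation}
 * @param configuration application configuration holding the principal and keytab settings
 * @throws IllegalStateException if the login attempt raises an {@link IOException}
 */
protected void doServiceLogin(Configuration hadoopConfig,
        org.apache.commons.configuration.Configuration configuration) {
    UserGroupInformation.setConfiguration(hadoopConfig);

    UserGroupInformation.AuthenticationMethod authenticationMethod =
            SecurityUtil.getAuthenticationMethod(hadoopConfig);
    try {
        if (authenticationMethod == UserGroupInformation.AuthenticationMethod.SIMPLE) {
            // NOTE(review): with a null Subject and simple authentication, Hadoop takes the
            // identity from the process environment (OS account or HADOOP_USER_NAME) instead of
            // verifying a credential. Treat the resulting user as asserted, not authenticated,
            // and keep this mode off production clusters.
            UserGroupInformation.loginUserFromSubject(null);
        } else if (authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS) {
            String bindAddress = getHostname(configuration);
            // The keytab is a long-lived secret; its path comes straight from configuration.
            // NOTE(review): file permissions on the keytab are not checked here - confirm they
            // are enforced at deployment time.
            UserGroupInformation.loginUserFromKeytab(
                    getServerPrincipal(configuration.getString(AUTHENTICATION_PRINCIPAL), bindAddress),
                    configuration.getString(AUTHENTICATION_KEYTAB));
        }
        // NOTE(review): for any other authentication method neither branch runs, yet this line
        // still reports a login user - verify that is the intended fallback.
        LOG.info("Logged in user {}", UserGroupInformation.getLoginUser());
    } catch (IOException e) {
        throw new IllegalStateException(String.format("Unable to perform %s login.", authenticationMethod), e);
    }
}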
 
Example 2
Source Project: hdfs-shell   File: ContextCommands.java    License: Apache License 2.0
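/**
 * Switches the shell's active Hadoop user by setting the {@code HADOOP_USER_NAME} system
 * property and logging in again with a null Subject.
 *
 * <p>Security note: no credential is checked. The new name is only compared against the
 * directory names under {@code /user} (when that directory exists), which guards against
 * typos but is not an authorization check. NOTE(review): this presumably only takes effect
 * when the cluster runs with simple authentication, where the client-asserted name is
 * trusted - confirm, and do not expose this command where that trust is not intended.
 *
 * @param newUser user name to switch to
 * @return an empty string on success, otherwise a message describing why nothing changed
 * @throws IOException if the file system lookup or the re-login fails
 */
@CliCommand(value = "su", help = "Changes current active user [*experimental*]")
    public synchronized String su(@CliOption(key = {""}, help = "su [<username>]") String newUser) throws IOException {
        if (StringUtils.isEmpty(newUser)) {
            return "No username is defined! ";
        }
        final FileSystem fs = getFileSystem();
        final Path usersDir = new Path("/user");
        if (fs.exists(usersDir)) {
            // newUser is never reassigned, so the lambda can capture it directly.
            final boolean foundUser = Arrays.stream(fs.listStatus(usersDir))
                    .filter(FileStatus::isDirectory)
                    .anyMatch(fileStatus -> fileStatus.getPath().getName().equals(newUser));
            if (!foundUser) {
                return "User " + newUser + " does not exist!";
            }
        }
        final String previousUser = System.getProperty("HADOOP_USER_NAME");
        System.setProperty("HADOOP_USER_NAME", newUser);
        try {
            UserGroupInformation.loginUserFromSubject(null);
        } catch (IOException | RuntimeException e) {
            // The login did not complete: put the property back so the JVM-wide user name
            // does not disagree with the identity the shell is still running as.
            if (previousUser == null) {
                System.clearProperty("HADOOP_USER_NAME");
            } else {
                System.setProperty("HADOOP_USER_NAME", previousUser);
            }
            throw e;
        }
        currentDir = null;
        return "";
    }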
 
Example 3
Source Project: incubator-atlas   File: LoginProcessor.java    License: Apache License 2.0
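/**
 * Performs the service's Hadoop login according to the authentication method that
 * {@code SecurityUtil.getAuthenticationMethod(hadoopConfig)} reports.
 *
 * <p>SIMPLE logs in from a null Subject (no credential is supplied); KERBEROS logs in from
 * the keytab and principal named in {@code configuration}; other methods fall through
 * without an explicit login.
 *
 * @param hadoopConfig  Hadoop configuration to install into {@code UserGroupInformation}
 * @param configuration application settings providing the principal and keytab location
 * @throws IllegalStateException wrapping any {@link IOException} raised by the login
 */
protected void doServiceLogin(Configuration hadoopConfig,
        org.apache.commons.configuration.Configuration configuration) {
    UserGroupInformation.setConfiguration(hadoopConfig);

    // The unused "ugi" local from the original listing is dropped; nothing read it.
    UserGroupInformation.AuthenticationMethod authenticationMethod =
            SecurityUtil.getAuthenticationMethod(hadoopConfig);
    try {
        if (authenticationMethod == UserGroupInformation.AuthenticationMethod.SIMPLE) {
            // NOTE(review): simple authentication does not prove identity - Hadoop derives
            // the user from the OS account or HADOOP_USER_NAME. Anything authorised on the
            // strength of this login is trusting an unverified name.
            UserGroupInformation.loginUserFromSubject(null);
        } else if (authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS) {
            String bindAddress = getHostname(configuration);
            // Principal and keytab path are both configuration-driven.
            // NOTE(review): confirm the keytab file is readable only by the service account.
            UserGroupInformation.loginUserFromKeytab(
                    getServerPrincipal(configuration.getString(AUTHENTICATION_PRINCIPAL), bindAddress),
                    configuration.getString(AUTHENTICATION_KEYTAB));
        }
        // NOTE(review): reached for every authentication method, including those for which
        // no login call was made above - verify that is intended.
        LOG.info("Logged in user {}", UserGroupInformation.getLoginUser());
    } catch (IOException e) {
        throw new IllegalStateException(String.format("Unable to perform %s login.", authenticationMethod), e);
    }
}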
 
Example 4
/**
 * Resolves the login {@code UserGroupInformation} for the Subject bound to the calling
 * thread's access-control context.
 *
 * <p>When Hadoop security is enabled the UGI is built directly from that Subject; otherwise
 * the Subject is used to log in and the resulting login user is returned.
 *
 * <p>NOTE(review): the debug statement logs the Subject itself, whose string form can carry
 * credential details - confirm debug logs for this class are access-controlled.
 *
 * @param hdfsConfiguration Hadoop configuration installed before the lookup
 * @return the login UGI
 * @throws IOException if the UGI lookup or login fails
 */
@Override
public UserGroupInformation getLoginUgi(Configuration hdfsConfiguration) throws IOException {
  final Subject subject = Subject.getSubject(AccessController.getContext());
  // HADOOP-13805
  HadoopConfigurationUtils.configureHadoopTreatSubjectExternal(hdfsConfiguration);
  UserGroupInformation.setConfiguration(hdfsConfiguration);

  final UserGroupInformation loginUgi;
  if (!UserGroupInformation.isSecurityEnabled()) {
    // Security disabled: log in from the Subject, then read back the login user.
    UserGroupInformation.loginUserFromSubject(subject);
    loginUgi = UserGroupInformation.getLoginUser();
  } else {
    // Security enabled: wrap the Subject the caller already holds.
    loginUgi = UserGroupInformation.getUGIFromSubject(subject);
  }

  if (LOG.isDebugEnabled()) {
    final Object principals = (subject != null) ? subject.getPrincipals() : "null";
    LOG.debug("Subject = {}, Principals = {}, Login UGI = {}", subject, principals, loginUgi);
  }
  return loginUgi;
}
 
Example 5
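/**
 * Logs in as ALICE through the fake KDC and checks that {@code refresh(conf)} returns the
 * fake access token naming ALICE as authenticated user and owner, targeted at MOCK_BUCKET.
 */
@Test
public void testProviderRefresh() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    try {
        AccessToken token = refresh(conf);
        assertEquals("FakeAccessToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=" + MOCK_BUCKET, token.getToken());
    } finally {
        // The login user is static state on UserGroupInformation; clear it even when the
        // assertion fails so ALICE's identity cannot carry over into a later test.
        UserGroupInformation.setLoginUser(null);
    }
}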
 
Example 6
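/**
 * Same as testProviderRefresh but with the access boundary disabled: the returned token is
 * expected to carry an empty {@code Target=}.
 */
@Test
public void testProviderRefreshWithoutAccessBoundary() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    conf.set("gcp.token.broker.access.boundary.enabled", "false");
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    try {
        AccessToken token = refresh(conf);
        assertEquals("FakeAccessToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=", token.getToken());
    } finally {
        // Reset the static login user on every exit path so a failed assertion does not
        // leave ALICE logged in for the tests that follow.
        UserGroupInformation.setLoginUser(null);
    }
}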
 
Example 7
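/**
 * Logs in as ALICE through the fake KDC and checks that {@code getSessionToken(conf)}
 * returns the fake session token naming ALICE as authenticated user and owner, targeted at
 * MOCK_BUCKET.
 */
@Test
public void testGetSessionToken() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    try {
        String token = getSessionToken(conf);
        assertEquals("FakeSessionToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=" + MOCK_BUCKET, token);
    } finally {
        // The login user is static state on UserGroupInformation; clear it even when the
        // assertion fails so ALICE's identity cannot carry over into a later test.
        UserGroupInformation.setLoginUser(null);
    }
}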
 
Example 8
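/**
 * Same as testGetSessionToken but with the access boundary disabled: the returned token is
 * expected to carry an empty {@code Target=}.
 */
@Test
public void testGetSessionTokenWithoutAccessBoundary() throws IOException {
    TestingTools.startServer(new FakeServer(fakeKDC), grpcCleanup);
    Configuration conf = TestingTools.getBrokerConfig();
    conf.set("gcp.token.broker.access.boundary.enabled", "false");
    Subject alice = fakeKDC.login(ALICE);
    UserGroupInformation.loginUserFromSubject(alice);
    try {
        String token = getSessionToken(conf);
        assertEquals("FakeSessionToken/AuthenticatedUser=" + ALICE + ";Owner=" + ALICE + ";Target=", token);
    } finally {
        // Reset the static login user on every exit path so a failed assertion does not
        // leave ALICE logged in for the tests that follow.
        UserGroupInformation.setLoginUser(null);
    }
}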
 
Example 9
/**
 * Resolves the login {@code UserGroupInformation} for the Subject bound to the calling
 * thread's access-control context, with a MapR-specific override.
 *
 * <p>The UGI is built directly from the Subject only when Hadoop reports security as enabled
 * and the MapR username/password system property is not set to true; in every other case
 * the Subject is used to log in and the resulting login user is returned.
 *
 * <p>NOTE(review): the branch is steered by a JVM system property, so anything able to set
 * that property changes which login path runs. The debug statement also logs the Subject
 * itself, whose string form can carry credential details - confirm debug logs for this class
 * are access-controlled.
 *
 * @param hdfsConfiguration Hadoop configuration installed before the lookup
 * @return the login UGI
 * @throws IOException if the UGI lookup or login fails
 */
@Override
public UserGroupInformation getLoginUgi(Configuration hdfsConfiguration) throws IOException {
  // A system property says whether MapR username/password security is switched on.
  final boolean isMapRLogin = Boolean.parseBoolean(
      System.getProperty(
          MAPR_USERNAME_PASSWORD_SECURITY_ENABLED_KEY,
          MAPR_USERNAME_PASSWORD_SECURITY_ENABLED_DEFAULT
      )
  );
  final Subject subject = Subject.getSubject(AccessController.getContext());
  // HADOOP-13805
  HadoopConfigurationUtils.configureHadoopTreatSubjectExternal(hdfsConfiguration);
  // SDC-4015: privateclassloader is false for MapR, so UGI is shared and must also be
  // handled under the JVM lock.
  UserGroupInformation.setConfiguration(hdfsConfiguration);

  // Only take the Subject-wrapping path when Kerberos is really in use. MapR's
  // UserGroupInformation.isSecurityEnabled() answers true even without Kerberos, and the
  // system property is what keeps that case off this path.
  final boolean kerberosPath = UserGroupInformation.isSecurityEnabled() && !isMapRLogin;

  final UserGroupInformation loginUgi;
  if (kerberosPath) {
    loginUgi = UserGroupInformation.getUGIFromSubject(subject);
  } else {
    UserGroupInformation.loginUserFromSubject(subject);
    loginUgi = UserGroupInformation.getLoginUser();
  }

  if (LOG.isDebugEnabled()) {
    final Object principals = (subject != null) ? subject.getPrincipals() : "null";
    LOG.debug("Subject = {}, Principals = {}, Login UGI = {}", subject, principals, loginUgi);
  }
  return loginUgi;
}
 
Example 10
Source Project: atlas   File: SSLAndKerberosTest.java    License: Apache License 2.0
/**
 * Test fixture: builds a TLS + Kerberos configuration, writes it to a temporary directory,
 * logs in the test user, creates an {@code AtlasClient} as proxy user "testUser", and starts
 * a secure embedded server on port 21443.
 *
 * NOTE(review): three string literals below contain "[email protected]". That token is an
 * e-mail-obfuscation artifact of the page this listing was taken from, not source text.
 * The code is reproduced as shown; restore the literals from the original project before
 * reusing this method.
 */
public void setUp() throws Exception {
    // Keystore for credentials lives in a freshly created temp directory.
    // NOTE(review): no cleanup of this directory is visible in this method.
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
        ApplicationProperties.APPLICATION_PROPERTIES);

    // Load the base application properties: from the classpath unless the atlas.conf system
    // property names a directory.
    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);
    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    // NOTE(review): literal damaged by page extraction (see method comment); presumably a
    // Kerberos principal prefix that the KDC realm is appended to.
    configuration.setProperty("atlas.authentication.principal","dgi/[email protected]"+kdc.getRealm());

    // File authentication is set to "false" here and to "true" further down; the later
    // assignment is the one in effect when the configuration is written out.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.trustedproxy", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    // NOTE(review): literal damaged by page extraction (see method comment).
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/[email protected]" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    // NOTE(review): the rule body is damaged by page extraction as well; as shown it is not
    // a usable principal-to-name mapping rule.
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:[email protected]$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir
            + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir
            + "/policy-store.txt" );
    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
      "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // Install the test user's Subject as the login user, then layer a proxy user named
    // "testUser" on top of it; the client below is created under that proxy identity.
    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
        "testUser",
        UserGroupInformation.getLoginUser());

    // save original setting
    // NOTE(review): presumably restored in a teardown method that is not shown here; the
    // login user set above is likewise not reset in this method.
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });


    // The embedded server is handed the same configuration object built above; the port is
    // hard-coded.
    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
 
Example 11
/**
 * Class-level test fixture: builds a TLS + Kerberos configuration, writes it to a temporary
 * directory, logs in the test user, creates an {@code AtlasClient} as proxy user "testUser",
 * and starts a secure embedded server on port 21443.
 *
 * NOTE(review): three string literals below contain "[email protected]". That token is an
 * e-mail-obfuscation artifact of the page this listing was taken from, not source text.
 * The code is reproduced as shown; restore the literals from the original project before
 * reusing this method.
 */
@BeforeClass
public void setUp() throws Exception {
    // Keystore for credentials lives in a freshly created temp directory.
    // NOTE(review): no cleanup of this directory is visible in this method.
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
        ApplicationProperties.APPLICATION_PROPERTIES);

    // Load the base application properties: from the classpath unless the atlas.conf system
    // property names a directory.
    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);
    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    // NOTE(review): literal damaged by page extraction (see method comment); presumably a
    // Kerberos principal prefix that the KDC realm is appended to.
    configuration.setProperty("atlas.authentication.principal","dgi/[email protected]"+kdc.getRealm());

    // File authentication is set to "false" here and to "true" further down; the later
    // assignment is the one in effect when the configuration is written out.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    // NOTE(review): literal damaged by page extraction (see method comment).
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/[email protected]" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    // NOTE(review): the rule body is damaged by page extraction as well; as shown it is not
    // a usable principal-to-name mapping rule.
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:[email protected]$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir
            + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir
            + "/policy-store.txt" );

    TestUtils.writeConfiguration(configuration, persistDir + File.separator +
      "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // Install the test user's Subject as the login user, then layer a proxy user named
    // "testUser" on top of it; the client below is created under that proxy identity.
    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
        "testUser",
        UserGroupInformation.getLoginUser());

    // save original setting
    // NOTE(review): presumably restored in a teardown method that is not shown here; the
    // login user set above is likewise not reset in this method.
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });


    // The embedded server is handed the same configuration object built above; the port is
    // hard-coded.
    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
 
Example 12
Source Project: hbase-tools   File: CommandAdapter.java    License: Apache License 2.0
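/**
 * Installs {@code conf} as the Hadoop security configuration and then logs in from
 * {@code subject}.
 *
 * <p>Both calls act on static {@code UserGroupInformation} state, so the effect is not
 * limited to the caller. {@code subject} is passed through unchecked; other callers on this
 * page pass {@code null} to log in without a pre-authenticated Subject.
 *
 * @param conf    Hadoop configuration; must not be null
 * @param subject JAAS subject to log in from
 * @throws NullPointerException if {@code conf} is null
 * @throws IOException          if the login fails
 */
public static void loginUserFromSubject(Configuration conf, Subject subject) throws IOException {
    // Fail fast with a clear message instead of an anonymous NPE from inside Hadoop.
    java.util.Objects.requireNonNull(conf, "conf");
    // The configuration must be installed first: it decides which authentication method the
    // login below uses.
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromSubject(subject);
}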
 
Example 13
Source Project: hbase-tools   File: CommandAdapter.java    License: Apache License 2.0
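/**
 * Installs {@code conf} as the Hadoop security configuration and then logs in from
 * {@code subject}.
 *
 * <p>Both calls act on static {@code UserGroupInformation} state, so the effect is not
 * limited to the caller. {@code subject} is passed through unchecked; other callers on this
 * page pass {@code null} to log in without a pre-authenticated Subject.
 *
 * @param conf    Hadoop configuration; must not be null
 * @param subject JAAS subject to log in from
 * @throws NullPointerException if {@code conf} is null
 * @throws IOException          if the login fails
 */
public static void loginUserFromSubject(Configuration conf, Subject subject) throws IOException {
    // Fail fast with a clear message instead of an anonymous NPE from inside Hadoop.
    java.util.Objects.requireNonNull(conf, "conf");
    // The configuration must be installed first: it decides which authentication method the
    // login below uses.
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromSubject(subject);
}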
 
Example 14
Source Project: hbase-tools   File: CommandAdapter.java    License: Apache License 2.0
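/**
 * Installs {@code conf} as the Hadoop security configuration and then logs in from
 * {@code subject}.
 *
 * <p>Both calls act on static {@code UserGroupInformation} state, so the effect is not
 * limited to the caller. {@code subject} is passed through unchecked; other callers on this
 * page pass {@code null} to log in without a pre-authenticated Subject.
 *
 * @param conf    Hadoop configuration; must not be null
 * @param subject JAAS subject to log in from
 * @throws NullPointerException if {@code conf} is null
 * @throws IOException          if the login fails
 */
public static void loginUserFromSubject(Configuration conf, Subject subject) throws IOException {
    // Fail fast with a clear message instead of an anonymous NPE from inside Hadoop.
    java.util.Objects.requireNonNull(conf, "conf");
    // The configuration must be installed first: it decides which authentication method the
    // login below uses.
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromSubject(subject);
}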
 
Example 15
Source Project: hbase-tools   File: CommandAdapter.java    License: Apache License 2.0
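/**
 * Installs {@code conf} as the Hadoop security configuration and then logs in from
 * {@code subject}.
 *
 * <p>Both calls act on static {@code UserGroupInformation} state, so the effect is not
 * limited to the caller. {@code subject} is passed through unchecked; other callers on this
 * page pass {@code null} to log in without a pre-authenticated Subject.
 *
 * @param conf    Hadoop configuration; must not be null
 * @param subject JAAS subject to log in from
 * @throws NullPointerException if {@code conf} is null
 * @throws IOException          if the login fails
 */
public static void loginUserFromSubject(Configuration conf, Subject subject) throws IOException {
    // Fail fast with a clear message instead of an anonymous NPE from inside Hadoop.
    java.util.Objects.requireNonNull(conf, "conf");
    // The configuration must be installed first: it decides which authentication method the
    // login below uses.
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromSubject(subject);
}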